
Windows Analysis Report PTA009483.exe

Overview

General Information

Sample Name: PTA009483.exe
Analysis ID: 532659
MD5: c32dc27c35f471c71e237b07cffc263d
SHA1: b8518918c8aeaaaf989e6361907debff3da0d6f6
SHA256: ae4bc61fdbd79efa881919084a9858bc02935ae6ed8644f246ff0f56d87d6e9f
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • PTA009483.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\PTA009483.exe" MD5: C32DC27C35F471C71E237B07CFFC263D)
    • RegSvcs.exe (PID: 4500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(28 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.PTA009483.exe.4121b08.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.PTA009483.exe.4121b08.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(20 entries in total; first 5 shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started. Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard. Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\PTA009483.exe", ParentImage: C:\Users\user\Desktop\PTA009483.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4500
Sigma detected: Possible Applocker Bypass
Source: Process started. Author: juju4. Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\PTA009483.exe", ParentImage: C:\Users\user\Desktop\PTA009483.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4500

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.0.RegSvcs.exe.400000.4.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}
Multi AV Scanner detection for submitted file
Source: PTA009483.exe; Virustotal: Detection: 35%
Source: PTA009483.exe; Metadefender: Detection: 28%
Source: PTA009483.exe; ReversingLabs: Detection: 67%
Source: 1.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.5.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: PTA009483.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PTA009483.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: http://OGxUTf.com
                      Source: WerFault.exe, 00000012.00000003.913838802.00000000048E9000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915756715.00000000048E7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: Amcache.hve.18.dr | String found in binary or memory: http://upx.sf.net
                      Source: RegSvcs.exe, 00000001.00000000.885051928.0000000002E51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
                      Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Spam, unwanted Advertisements and Ransom Demands:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: 1.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: PTA009483.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_00D35196
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6458
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016BE488
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6788
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B7C21
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6776
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B67C2
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6C61
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B4F77
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B4F88
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B7CD1
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B7F58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C146E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C13D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C146D3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C14650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C1D321
                      Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.674560826.0000000000D98000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.677189654.0000000005F70000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
                      Source: PTA009483.exe | Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
                      Source: PTA009483.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PTA009483.exe | Virustotal: Detection: 35%
                      Source: PTA009483.exe | Metadefender: Detection: 28%
                      Source: PTA009483.exe | ReversingLabs: Detection: 67%
                      Source: PTA009483.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PTA009483.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\PTA009483.exe "C:\Users\user\Desktop\PTA009483.exe"
                      Source: C:\Users\user\Desktop\PTA009483.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
                      Source: C:\Users\user\Desktop\PTA009483.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PTA009483.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PTA009483.exe.log
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBC5.tmp
                      Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
                      Source: C:\Users\user\Desktop\PTA009483.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4500
                      Source: PTA009483.exe | String found in binary or memory: ../Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: 7A7256%../Images/Play.gif'../Images/Pause.gif%../Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: images/stop.gifp
                      Source: PTA009483.exe | String found in binary or memory: Images/stop.gif
                      Source: 1.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\PTA009483.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: PTA009483.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PTA009483.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: onfiguration.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb\ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.889612648.0000000004A1B000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.890239443.0000000002BEF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb`B source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: profapi.pdb; source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbG source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb/ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbzz source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb{{ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: (PYo0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: wbemdisp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb= source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: WinTypes.pdb2 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb3 source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: doC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbRegSvcs.exe$ source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: version.pdb1 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: CustomMarshalers.pdbCA source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: ole32.pdb# source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: vaultcli.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: powrprof.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbqk source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb"" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbL source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbI source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B445A pushfd ; retf
                      Source: initial sample Static PE information: section name: .text entropy: 7.94597502339
                      Source: C:\Users\user\Desktop\PTA009483.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.PTA009483.exe.3105380.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PTA009483.exe TID: 6548 | Thread sleep time: -40148s >= -30000s
                      Source: C:\Users\user\Desktop\PTA009483.exe TID: 4180 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\PTA009483.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1171
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8685
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PTA009483.exe | Thread delayed: delay time: 40148
                      Source: C:\Users\user\Desktop\PTA009483.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware
                      Source: Amcache.hve.18.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.18.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual USB Mouse
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.18.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware7,1
                      Source: Amcache.hve.18.dr | Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.18.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 00000012.00000002.915837616.0000000004A00000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915745395.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.18.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.18.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.18.dr | Binary or memory string: VMware, Inc.me
                      Source: WerFault.exe, 00000012.00000002.915807830.00000000049C4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWP7
                      Source: Amcache.hve.18.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.18.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\PTA009483.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\PTA009483.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PTA009483.exe | Queries volume information: C:\Users\user\Desktop\PTA009483.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Source: Amcache.hve.18.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match | File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping1 | Security Software Discovery231 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | File and Directory Permissions Modification1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion141 | SMB/Windows Admin Shares | Data from Local System1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion141 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection12 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

Legend (graph image not reproduced in this export): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
PTA009483.exe | 35% | Virustotal |
PTA009483.exe | 29% | Metadefender |
PTA009483.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
1.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
1.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
1.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
1.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
1.0.RegSvcs.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
1.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
1.0.RegSvcs.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
1.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://OGxUTf.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://OGxUTf.com | RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://upx.sf.net | Amcache.hve.18.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
https://api.ipify.org% | RegSvcs.exe, 00000001.00000000.885051928.0000000002E51000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | false | | high

                                                    Contacted IPs

                                                    No contacted IP infos

                                                    General Information

                                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                                    Analysis ID:532659
                                                    Start date:02.12.2021
                                                    Start time:15:43:33
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 7m 50s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:PTA009483.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                    Number of analysed new started processes analysed:19
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
                                                    EGA Information:Failed
                                                    HDC Information:
                                                    • Successful, ratio: 0.4% (good quality ratio 0.3%)
                                                    • Quality average: 46.2%
                                                    • Quality standard deviation: 31.7%
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.189.173.20
                                                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
15:44:31 | API Interceptor | 2x Sleep call for process: PTA009483.exe modified
15:44:45 | API Interceptor | 655x Sleep call for process: RegSvcs.exe modified
15:46:25 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6e42c2ecbe67857e042102e8f977834d8ccb729_75d5926b_19ab143c\Report.wer
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):1.1283946255527386
                                                    Encrypted:false
                                                    SSDEEP:192:q1TGRdHBUZMXaaPXvJCM34/u7sxS274Itx:ES7BUZMXaapP34/u7sxX4Itx
                                                    MD5:FB494F6D1079583F303AF529BE398F91
                                                    SHA1:638029880F622D4B0E86D8ECE6A6E66B1B803D2D
                                                    SHA-256:72758ECAB5A6A104CD0E1E7E29CD7442FB4701D242937737A88AEA0AF53EB94D
                                                    SHA-512:020AF0CFC0C4FCA94B335DE25F99A497F2759701A60451C08436568F1C44AE16EFD86E9F0E1D3CA4063E6C8CBE6C83C0EEEF35D902DB915F50A61BE6900BF45B
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.2.9.9.7.5.5.8.2.7.4.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.2.9.9.8.4.3.3.2.6.9.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.8.b.a.1.7.4.-.b.b.a.3.-.4.9.e.9.-.9.8.0.d.-.3.3.3.a.5.a.1.6.d.6.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.9.3.b.3.2.e.-.c.1.9.f.-.4.7.b.9.-.a.d.a.e.-.5.5.e.2.0.e.1.7.0.5.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.9.4.-.0.0.0.1.-.0.0.1.b.-.2.8.5.4.-.1.5.1.e.8.b.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.b.a.2.a.1.1.1.c.e.d.d.5.b.f.5.2.3.2.2.4.b.3.f.1.c.f.e.5.8.e.e.c.7.c.2.f.d.c.
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBC5.tmp.dmp
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 14 streams, Thu Dec 2 14:46:17 2021, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):282834
                                                    Entropy (8bit):3.6930537398619316
                                                    Encrypted:false
                                                    SSDEEP:3072:L44yWeJHJFe/00ojd+px0giUCgUzajC9gIOgF5hqf+5yo02HM:LBtMHJN05px0Tj+C9RpDYfpv
                                                    MD5:806778AF9FEAB438E19410FA9ECF111E
                                                    SHA1:01E51CF951A8D1698386F8D49356CE1910231A8D
                                                    SHA-256:AA77F457EF152064E8A2A5DD37FD6012AB3FB6566B612BF63CE2BC7A9D03C06D
                                                    SHA-512:7585205B942FC69A934D0A8EA59D0D42C1578746F3FA9A3D2E0B5C2937EA5C9EF55AC341E4FAC57BC793526BE76F36F08E40F493DDDC54B37F723CC11ED2F769
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: MDMP....... .......9.a............D...........,...L.......t&...Q..........T.......8...........T...........h9..j...........x#..........d%...................................................................U...........B.......%......GenuineIntelW...........T.............a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERF972.tmp.WERInternalMetadata.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8344
                                                    Entropy (8bit):3.689777288726644
                                                    Encrypted:false
                                                    SSDEEP:192:Rrl7r3GLNiljv6vUhGIe6YRQO6B0gmfZ7Sk+prz89blFsf/3m:RrlsNiZv6h6YCO6B0gmflSslefO
                                                    MD5:DB89FB22CBA9105ACA2D6E686639A30C
                                                    SHA1:2E7DB0A299FA47967FF181FAA00B59C3B7C118F0
                                                    SHA-256:A0BFCEFB0D618F1E4254B7C11395CE4F674CA495DDFFCD720DDC6FD9D7968348
                                                    SHA-512:7B2EEC75A2CAAAD5804CEB8AFF95523B23E239C00D62FD887BDBE27B2C7155C1461655ECB4F98F0106F501297B554E50879FFB06D2B18983FAD792AC2D497810
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.0.0.<./.P.i.d.>.......
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD5B.tmp.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4719
                                                    Entropy (8bit):4.441488186622842
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwSD8zsHrJgtWI9MyWSC8B78fm8M4JStjJ2Fb+q8vrtjJMP7id:uITfHFTTSNaJhKoP7id
                                                    MD5:D271EBED8599A4BCE1624C5728FC8824
                                                    SHA1:1F79B302FB7A3AEF0250A35A67484014559AD734
                                                    SHA-256:A5E6AAFCFEDE0F39F5E0FBD05ACA0AA98BA62F4D3FBAB1099C6B22C505AF98BA
                                                    SHA-512:D8F46A2B6F4E92F01FB912B3224FA702D73A5FDF8089F045F99855C26651070D28D171753885FAD4AD737E6F6424D92093183598560CC35DC1E2A529403FED3D
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1280156" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PTA009483.exe.log
                                                    Process:C:\Users\user\Desktop\PTA009483.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1968
                                                    Entropy (8bit):5.355630327889458
                                                    Encrypted:false
                                                    SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHxvjHKs:iqXeqm00YqhQnouRqjntIxHeqzTwRrqs
                                                    MD5:5216C7BA51383BFD6FACE8756C452F56
                                                    SHA1:9E34E791CF09C89CF2A8F0D57D48EC330AD29F93
                                                    SHA-256:502CE33AFDC9B4C6CCCB5069A7B700064608BEEA4138ED4DFA206F23D33D03B2
                                                    SHA-512:C1906EAC187E69D5B85384CB62C57713F03D4020DE941D97385DC3F2CAFECBACFD8AEC14E40AB34207ACD0319C368927A0F39F57F3BD135286FC83B207FB4FE4
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                    C:\Windows\System32\drivers\etc\hosts
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):835
                                                    Entropy (8bit):4.694294591169137
                                                    Encrypted:false
                                                    SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                    MD5:6EB47C1CF858E25486E42440074917F2
                                                    SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                    SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                    SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                    C:\Windows\appcompat\Programs\Amcache.hve
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1572864
                                                    Entropy (8bit):4.245463977313784
                                                    Encrypted:false
                                                    SSDEEP:12288:T+p0L1jLfxGMiGNyiO9KNTOtBhMyHL2OGcJgZW16rXR56azT:Sp0L1jLfxGBGNyw2B
                                                    MD5:A67F7C4F5262D0C0C9151FC916238F7E
                                                    SHA1:0064F99693ED6AC58CFB7EE1D24CDCAD4EF0ED8F
                                                    SHA-256:C40EAFD182A32169C0FE5915D0FD0182D3AD9E0E9238FA558C618165309A60D7
                                                    SHA-512:9825689C05975DF6412A4907FC5EC546486441176A897D3BF724A1FC3D7286DE1B2A960AD3EF90950AF99926649F34C029132D166B6DC1F12125BA973E1510CA
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.).Z................................................................................................................................................................................................................................................................................................................................................}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):3.4224845856930766
                                                    Encrypted:false
                                                    SSDEEP:384:ofU5K5cPv4YgnVVeeDzeH1NKZtj/T8GSw61FOc7oOw:sSKUg/eeDzeVNYtjIGSw6ac7L
                                                    MD5:61EB23C0700A8DA675E5155FED8D22C7
                                                    SHA1:600A225C457071F582679A0CDFB2CEB105619DA9
                                                    SHA-256:5152221606054249108050F3D3F71624C53D41F305315A44C809E8025CED91A8
                                                    SHA-512:35B2BDD866A908CA152D30E0008A2FBBCF263512921AB5A65D134D21814FC999AF39F1102C79044640438C1BE87AEF0B7BEA544395A4BD18576456BB527260D1
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.).Z................................................................................................................................................................................................................................................................................................................................................{...HvLE.N......G...........qq..~>1...Eu....................... ..hbin................p.\..,..........nk,..).Z.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..).Z........ ........................... .......Z.......................Root........lf......Root....nk ..).Z.................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.93539046167478
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:PTA009483.exe
                                                    File size:546816
                                                    MD5:c32dc27c35f471c71e237b07cffc263d
                                                    SHA1:b8518918c8aeaaaf989e6361907debff3da0d6f6
                                                    SHA256:ae4bc61fdbd79efa881919084a9858bc02935ae6ed8644f246ff0f56d87d6e9f
                                                    SHA512:d8f4dde39c62d66a9cfa05728efa151e0d2342bd2ff4b94a85a156a8bed0420459592a22b2409fe2f42557cc3e70c4b5356f14e50df41fe81eabf689e589d11b
                                                    SSDEEP:12288:55pYcrq3cPeOQLqG+jW6XByT1AsZTSp3unxUJ3xs8+qUrH:DpYcrbbQLqG/+wxBZTbnCZG8+zrH
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.a..............0..L..........:j... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x486a3a
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x61A449D0 [Mon Nov 29 03:32:32 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    sbb dword ptr [eax], eax
                                                    add byte ptr [edx], ah
                                                    pop dword ptr [eax]
                                                    add byte ptr [ecx], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    Name                                    Virtual Address   Virtual Size   Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT            0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT            0x869e8           0x4f           .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE          0x88000           0x64c          .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION         0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY          0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC         0x8a000           0xc            .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG             0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT         0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR         0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS               0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT               0x2000            0x8            .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      0x0               0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    0x2008            0x48           .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED          0x0               0x0

                                                    Sections

                                                    Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy          Characteristics
                                                    .text    0x2000            0x84a50        0x84c00    False      0.942916151718    data        7.94597502339    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc    0x88000           0x64c          0x800      False      0.3447265625      data        3.55508289256    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc   0x8a000           0xc            0x200      False      0.044921875       data        0.101910425663   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name          RVA        Size    Type                                                                              Language   Country
                                                    RT_VERSION    0x88090    0x3bc   data
                                                    RT_MANIFEST   0x8845c    0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Imports

                                                    DLL           Import
                                                    mscoree.dll   _CorExeMain

                                                    Version Infos

                                                    Description        Data
                                                    Translation        0x0000 0x04b0
                                                    LegalCopyright     Copyright Earthworks Garden Kare
                                                    Assembly Version   5.4.0.0
                                                    InternalName       SecurityRunti.exe
                                                    FileVersion        5.4.0.0
                                                    CompanyName        Earthworks Garden Kare
                                                    LegalTrademarks
                                                    Comments           Precision Instrument
                                                    ProductName        WpfClassProject
                                                    ProductVersion     5.4.0.0
                                                    FileDescription    WpfClassProject
                                                    OriginalFilename   SecurityRunti.exe

                                                    Network Behavior

                                                    No network behavior found

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior


                                                    System Behavior

                                                    General

                                                    Start time:15:44:29
                                                    Start date:02/12/2021
                                                    Path:C:\Users\user\Desktop\PTA009483.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\PTA009483.exe"
                                                    Imagebase:0xd10000
                                                    File size:546816 bytes
                                                    MD5 hash:C32DC27C35F471C71E237B07CFFC263D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:15:44:32
                                                    Start date:02/12/2021
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Imagebase:0xab0000
                                                    File size:45152 bytes
                                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:high

                                                    General

                                                    Start time:15:46:13
                                                    Start date:02/12/2021
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
                                                    Imagebase:0x920000
                                                    File size:434592 bytes
                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis
